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PART 9 THE INTERNET, INTRANETS, AND THE OUTSIDE WORLD 


How Financial Transactions 
Work on the Internet 


Gabriel browses through an electronic catalog on a Web site 
and he decides to buy a camcorder. To use the Secure 
Electronic Transaction protocol (SET) to pay for it, he will need 
a credit card from a participating bank and a unique "electronic 
signature" for his computer; this will verify that he is making 
the purchase, not an impostor. (In SET, everyone involved in the 
transaction, needs electronic signatures identifying them.) SET 
also uses public-key encryption technology to encrypt all the 
information sent between everyone involved in the transaction. 
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Gabriel fills out an order form detailing what he wants to buy, its price, any shipping and handling fees, 
and taxes. He then selects the method he wants to use to pay. In this case, he decides to pay electroni- 
cally over the Internet. At this point, he doesn't send his precise credit card number, but instead indi- 
cates which credit card he wants to use. The information he sends includes his electronic signature so 
the merchant can verify it is really Gabriel who wants to do the ordering. 


The merchant receives the order form from Gabriel. The merchant's software creates a unique transac- 
tion identifier so the transaction can be identified and tracked. The merchant sends this identifier back 
to Gabriel along with two "electronic certificates," which are required to complete the transaction for 
his specific bank card. One certificate identifies the merchant and the other certificate identifies a spe- 
cific payment gateway — an electronic gateway to the banking system that processes online payments. 
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Gabriel's software receives the electronic certificates and uses them to create Order Information i jl) 
and Payment Instructions (PI). It encrypts these messages and includes Gabriel's electronic signature 
in them. The 01 and the PI are then'sent back to the merchant. 
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The merchant's software decrypts Gabriel's 01 and uses the electronic signature that Gabriel sent 
to verify that the order is from him. The merchant sends verification to Gabriel that the order has 
been made. 
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The payment gateway 
decrypts the messages 
and uses the merchant's 
digital signature to verify 
that the message is from 
the merchant. By exam- 
ining the PI, it verifies 
that they have come from 
Gabriel. The payment 
gateway then uses a 
bank card payment sys- 
tem to send an authoriza- 
tion request to the bank 
that issued Gabriel his 
bank card, asking if the 
purchase can be made. 


The merchant's software creates an au- 
thorization request for payment and in- 
cludes with the merchant's digital 
signature the transaction identifier and 
the PI received from Gabriel. He encrypts 
all of it and sends the encrypted request 
to the payment gateway. 


Order form 


Gabriel's digital 
signature 


Merchant digital 
signature 


When the bank responds that the pay- 
ment can be made, the payment gate- 
way creates, digitally signs, and encrypts 
an authorization message, which is sent 
to the merchant. The merchant's soft- 
ware decrypts the message and uses 
the digital signature to verify that it came 
from the payment gateway. Assured of 
payment, the merchant now ships the 
camcorder to Gabriel. 


Payment gateway 
electronic signature 


Unique transaction 
identifier 


Merchant electronic 
certificate 


CAPTURE 

REQUEST 


Some time after the transaction has been 
completed, the merchant requests pay- 
ment from the bank. The merchant's soft- 
ware creates a capture request, which 
includes the amount of the transaction, 
the transaction identifier, a digital signa- 
ture, and other information about the 
transaction. The information is encrypted 
and sent to the payment gateway. 


Payment gateway 
electronic certificate 


Hi The payment gateway de- 
crypts the capture request 
and uses the digital sig- 
nature to verify it is from 
the merchant. It sends a 
request for payment to 
the bank, using the bank 
card payment system. It 
receives a message au- 
thorizing payment, en- 
crypts the message, and 
then sends the authoriza- 
tion to the merchant. 


Encryption key 


Order information 


Payment/instructions 


Authorization 

request 


The merchant software decrypts the 
authorization and verifies that it is 
from the payment gateway. The soft- 
ware then stores the authorization that 
will be used to reconcile the credit card 
payment routinely when it is received 
from the bank. 


Authorization 

message 


CAPTURE 

REQUEST 


Capture request 




Anonymous Payment Works 


PART 9 THE INTERNET, INTRANETS, AND THE OUTSIDE WORLD 


How Anonymous 
Payment Wo^ks 


An electronic "wallet" helper ap- 
plication is used to purchase elec 
tronic currency from a "bank," 
then pay for items using this elec- 
tronic money. The bank may be 
an actual banking institution or a 
payment processing center. In ei- 
ther cr.se, the customer makes a 
withdrawal from the bank using 
the wallet software. 


The software issues electronic cur- 
rency, generating for each digital 
"coin" a unique, random serial num- 
ber. The serial numbers are masked 
by multiplying the coins by a random 
number. 


The coins are packaged into a 
message, digitally signed by 
the user's private identifica- 
tion key, encrypted with the 
bank's key, and sent to the 
bank. Only the bank can de- 
crypt the message. 
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The merchant then validates the electronic coins by 
sending them to the bank and exchanging them for 
new coins with the merchant's key (or by depositing 
them in the merchant's account). The masking and 
encryption process works the same between the 
merchant and the bank as it does between the cus- 
tomer and the bank. 


The bank receives the message, verifies the sig- 
nature, and debits the amount of the withdrawal 
from the customer's account. The bank validates 
the coins, encrypts them with the customer's 
key, and returns them to the customer. The cus- 
tomer can decrypt the validated coins and un- 
mask them by dividing out the random number. 
Because the bank never sees the serial number, 
the coins cannot be traced back to the customer. 


When the customer wants to purchase an item, he or she typi- 
cally fills out a Web-based order form and the request is sent to 
the merchant's server. The request is passed through CGI to the 
merchant's wallet software, which sends a payment request to 
the customer's wallet. The customer's wallet sends the appropri 
ate coins to the merchant's wallet and receives a receipt. When 
this process is complete, the purchased item (information or ac- 
cess to an online game, for example) or a notification of receipt 
is passed back through CGI and sent to the customer's browser. 



How Cryptosystems Work 


PART 10 SAFEGUARDING THE INTERNET 
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^3 Gab'-iel now uses his private key to encrypt the message n 
digest. This produces a unique digital signature that only [M 
he, with his private key, could have created. 


Gabriel generates a new random key. He uses this key to en- 
crypt his original message and his digital signature. Mia will 
need a copy of this random key to decrypt Gabriel's message. 
This random key is the only key in the world that can decrypt 
the message — and at this point only Gabriel has the key. 


Gabriel wants to send a confidential message over the Internet to Mia. 
Mia will need some way to decrypt the message as well as a way to 
guarantee that Gabriel, and not an imposter, has actually sent the 
message. First, Gabriel runs his message through an algorithm called 
a hash function. This produces a number known as the message di- 
gest. The message digest acts as a sort of "digital fingerprint" that 
Mia will use to ensure that no one has altered the message. 
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Gabriel encrypts this new random key with Mia's public 
key. This encrypted random key is referred to as the digital 
envelope. Only Mia will be able to decrypt the random key 
because it was encrypted with her public key, so only her 
private key can decrypt it. 


Gabriel sends a message over the Internet to Mia that is 
composed of several parts: the encrypted confidential 
message, the encrypted digital signature, and the en- 
crypted digital envelope. 
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□ 


Mia gets the message. She decrypts the 
digital envelope with her private key 
and out of it gets the random key that 
Gabriel used to encrypt the message. 



Original message 




Mia uses the random key to decrypt 
Gabriel's message. She can now read 
the confidential message that he sent 
to her. However, she can't yet be sure 
that the message hasn't been altered 
en route to her or that Gabriel was 
definitely the sender. 


f NDOM 
KEY 




‘VS 1 

Hash function 



Message digest 



Gabriel’s public key 



Mia now uses the random key and 
Gabriel's public key to decrypt his 
encrypted digital signature. When 
she does this, she gets his message 
digest, the message's "digital finger- 
print." 





Gabriel’s private key 



Mia’s public key 



Mia’s private key 


□ 


Mia will use this message digest to 
see whether Gabriel indeed sent 
the message and that it was not al- 
tered in any way. She takes the mes- 
sage that she decrypted and runs it 
through the same algorithm — the 
hash function — that Gabriel ran the 
message through. This will produce 
a new message digest. 






Digital signature 
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Random key 



Encrypted message 


□3 



Mia compares the message digest 
that she calculated to the one that 
she got out of Gabriel's digital sig- 
nature. If the two match precisely, 
she can be sure that Gabriel signed 
the message and that it was not al- 
tered after he composed it. If they 
don't match, then she knows that 
either he didn't compose the mes- 
sage, or that someone altered the 
message after he wrote it. 





How Digital Certificates 
Ensure Internet Security 


A digital certificate is used to guarantee that the person who sends information or email over the 
Internet or who makes a financial transaction really is who he says he is. This illustration shows 
how a digital certificate would be used to guarantee that the person sending an email is being 
truthful about his identity. 




You'll be issued a digital certificate, which has 
been digitally signtyJto guarantee its authentic- 
ity. The certificate is data unique to you, and is 
put on youc.hard disk, along with a private key 
(see Chapter 49 for information about keys). 


Name: Gale Gralla 
Authority: Veri Pure 
Serial Number: 000516 
Version Number: 3 

Expires: 9/29/09 


Digital certificates are issued by 
Certificate Authorities (CAs). To get a digi- 
tal certificate, you typically visit a CA site 
cind request . cerfificfte. You'll provide 
information about yourself, such as your 
name and other identifying information. 


The digital certificate is composed of in- 
formation such as your name, the name 
of the CA, the unique serial number of the 
certificate, the version number of the cer- 
tificate, the expiration date of the certifi- 
cate, your public key, and the digital 
signature of the CA. The exact format of 
the certificate is defined by a standard 
known as X.509. 
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CHAPTER 50 


When you want to send email 
to someone and have them 
know for certain that it is you 
and no one else who has sent 
the mail, you attach the digital 
certificate to your email mes- 
sage. One of the things that 
the certificate does is sign the 
message with a private key 
that you were given as part of 
the digital certificate. 


The person you're sending email to gets your digital certificate along 
with your email. The key is used to read the private key's signature. That 
signature matches information found in the digital certificate, and so the 
receiver is assured that the message really came from you. . 






